From: Jann Horn
Date: Thu, 1 Oct 2020 17:47:54 +0200
Subject: Re: For review: seccomp_user_notif(2) manual page
To: Christian Brauner
Cc: Michael Kerrisk (man-pages), linux-man, Song Liu, Will Drewry, Kees Cook, Daniel Borkmann, Giuseppe Scrivano, Robert Sesek, Linux Containers, lkml, Alexei Starovoitov, bpf, Andy Lutomirski
In-Reply-To: <20201001125043.dj6taeieatpw3a4w@gmail.com>
References: <45f07f17-18b6-d187-0914-6f341fe90857@gmail.com> <20201001125043.dj6taeieatpw3a4w@gmail.com>
List-Id: Linux Containers <containers@lists.linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
On Thu, Oct 1, 2020 at 2:54 PM Christian Brauner
<christian.brauner@canonical.com> wrote:
> On Wed, Sep 30, 2020 at 05:53:46PM +0200, Jann Horn via Containers wrote:
> > On Wed, Sep 30, 2020 at 1:07 PM Michael Kerrisk (man-pages)
> > <mtk.manpages@gmail.com> wrote:
> > > NOTES
> > >        The file descriptor returned when seccomp(2) is employed with the
> > >        SECCOMP_FILTER_FLAG_NEW_LISTENER  flag  can  be  monitored  using
> > >        poll(2), epoll(7), and select(2).  When a notification  is  pend‐
> > >        ing,  these interfaces indicate that the file descriptor is read‐
> > >        able.
> >
> > We should probably also point out somewhere that, as
> > include/uapi/linux/seccomp.h says:
> >
> >  * Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF
> >  * or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the
> >  * same syscall, the most recently added filter takes precedence. This means
> >  * that the new SECCOMP_RET_USER_NOTIF filter can override any
> >  * SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all
> >  * such filtered syscalls to be executed by sending the response
> >  * SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally
> >  * be overriden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
> >
> > In other words, from a security perspective, you must assume that the
> > target process can bypass any SECCOMP_RET_USER_NOTIF (or
> > SECCOMP_RET_TRACE) filters unless it is completely prohibited from
> > calling seccomp(). This should also be noted over in the main
> > seccomp(2) manpage, especially the SECCOMP_RET_TRACE part.
>
> So I was actually wondering about this when I skimmed this and a while
> ago but forgot about this again... Afaict, you can only ever load a
> single filter with SECCOMP_FILTER_FLAG_NEW_LISTENER set. If there
> already is a filter with the SECCOMP_FILTER_FLAG_NEW_LISTENER property
> in the tasks filter hierarchy then the kernel will refuse to load a new
> one?
>
> static struct file *init_listener(struct seccomp_filter *filter)
> {
>         struct file *ret = ERR_PTR(-EBUSY);
>         struct seccomp_filter *cur;
>
>         for (cur = current->seccomp.filter; cur; cur = cur->prev) {
>                 if (cur->notif)
>                         goto out;
>         }
>
> shouldn't that be sufficient to guarantee that USER_NOTIF filters can't
> override each other for the same task simply because there can only ever
> be a single one?

Good point. Exceeeept that that check seems ineffective because this
happens before we take the locks that guard against TSYNC, and also
before we decide to which existing filter we want to chain the new
filter. So if two threads race with TSYNC, I think they'll be able to
chain two filters with listeners together.

I don't know whether we want to eternalize this "only one listener
across all the filters" restriction in the manpage though, or whether
the man page should just say that the kernel currently doesn't support
it but that security-wise you should assume that it might at some
point.

[...]
> > >            if (procMemFd == -1)
> > >                errExit("Supervisor: open");
> > >
> > >            /* Check that the process whose info we are accessing is still alive.
> > >               If the SECCOMP_IOCTL_NOTIF_ID_VALID operation (performed
> > >               in checkNotificationIdIsValid()) succeeds, we know that the
> > >               /proc/PID/mem file descriptor that we opened corresponds to the
> > >               process for which we received a notification. If that process
> > >               subsequently terminates, then read() on that file descriptor
> > >               will return 0 (EOF). */
> > >
> > >            checkNotificationIdIsValid(notifyFd, req->id);
> > >
> > >            /* Seek to the location containing the pathname argument (i.e., the
> > >               first argument) of the mkdir(2) call and read that pathname */
> > >
> > >            if (lseek(procMemFd, req->data.args[0], SEEK_SET) == -1)
> > >                errExit("Supervisor: lseek");
> > >
> > >            ssize_t s = read(procMemFd, path, PATH_MAX);
> > >            if (s == -1)
> > >                errExit("read");
> >
> > Why not pread() instead of lseek()+read()?
>
> With multiple arguments to be read process_vm_readv() should also be
> considered.

process_vm_readv() can end up doing each read against a different
process, which is sort of weird semantically. You would end up taking
page faults at random addresses in unrelated processes, blocking on
their mmap locks, potentially triggering their userfaultfd notifiers,
and so on.

Whereas if you first open /proc/$tid/mem, then re-check
SECCOMP_IOCTL_NOTIF_ID_VALID, and then do the read, you know that
you're only taking page faults on the process where you intended to do
it.

So until there is a variant of process_vm_readv() that operates on
pidfds, I would not recommend using that here.
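The precaution quoted from include/uapi/linux/seccomp.h has a concrete defensive consequence for the filter a supervisor installs in the target: since a newer SECCOMP_RET_USER_NOTIF filter takes precedence, the mediated process must be prevented from loading one at all. The following is an added example, not code from the man page draft, the kernel, or anyone in the thread: a cBPF program that hands openat(2) to the supervisor and denies seccomp(2) together with the legacy prctl(PR_SET_SECCOMP) route (the thread only names seccomp(); covering prctl is this example's own generalization), plus a tiny interpreter for the three opcodes the program uses so the verdicts can be checked offline before the filter is ever installed. It assumes Linux headers of 5.0 or later (for SECCOMP_RET_USER_NOTIF and SECCOMP_FILTER_FLAG_NEW_LISTENER), a little-endian x86_64 or aarch64 build, and that `openat` is the syscall you want mediated; the `run_filter`, `verdict` and `install_filter` names are this example's, not a kernel or libseccomp API.

```c
/* Added example (not the thread's or the kernel's code): deny the target
 * any further seccomp()/prctl(PR_SET_SECCOMP) so that no newer USER_NOTIF
 * or TRACE filter can override the supervisor's verdicts. Linux only;
 * little-endian x86_64/aarch64 assumed (for the args[0] low-word load). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static const struct sock_filter prog[] = {
    /* 0-2: refuse a foreign arch outright (syscall numbers differ there) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-5: seccomp(2) itself: deny, so no newer filter can be stacked */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_seccomp, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    /* 6-10: prctl(PR_SET_SECCOMP, ...) is the legacy route to the same thing.
     * The kernel takes 'option' as int, so match the low 32 bits of args[0]:
     * every 64-bit value that truncates to PR_SET_SECCOMP is denied too. */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 4),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PR_SET_SECCOMP, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 11-13: the mediated syscall goes to the supervisor; the rest runs */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Minimal cBPF interpreter for the three opcodes used above, for offline
 * checking. Anything else is treated as an invalid program. */
uint32_t run_filter(const struct seccomp_data *d)
{
    const size_t n = sizeof prog / sizeof prog[0];
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k % 4 || ins->k + 4 > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: invalid program */
}

/* Verdict for a constructed seccomp_data: syscall nr on arch with args[0]. */
uint32_t verdict(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    d.args[0] = arg0;
    return run_filter(&d);
}

/* Install the filter on the calling thread and return the listener fd the
 * supervisor polls, or -1 with errno set. Afterwards this thread can no
 * longer call seccomp(2) or prctl(PR_SET_SECCOMP): that is the point. */
int install_filter(void)
{
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof prog / sizeof prog[0]),
        .filter = (struct sock_filter *)prog,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}

int main(void)
{
    printf("seccomp(2)            -> 0x%08x\n", verdict(ARCH_NR, __NR_seccomp, 0));
    printf("prctl(PR_SET_SECCOMP) -> 0x%08x\n", verdict(ARCH_NR, __NR_prctl, PR_SET_SECCOMP));
    printf("openat(2)             -> 0x%08x\n", verdict(ARCH_NR, __NR_openat, 0));
    printf("getpid(2)             -> 0x%08x\n", verdict(ARCH_NR, __NR_getpid, 0));
    return 0;
}
```

The offline interpreter is deliberately strict: an unknown opcode or a load outside `struct seccomp_data` yields SECCOMP_RET_KILL_PROCESS rather than a guess, which is the failure mode you want when checking a filter you are about to hand to the kernel. Note that denying seccomp(2) in the target does not address the TSYNC race described above, which is a kernel-side ordering problem, not something the filter contents can fix.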
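The second half of the reply (open /proc/PID/mem first, then re-check SECCOMP_IOCTL_NOTIF_ID_VALID, then read with pread() rather than lseek()+read(), and never via process_vm_readv()) is the kind of sequence that is easy to get subtly wrong, so here it is as an added example written for this page; it is not the man page draft's program nor code from anyone in the thread. It assumes Linux headers of 5.0 or later for SECCOMP_IOCTL_NOTIF_ID_VALID, that the supervisor has ptrace-level access to the target (otherwise the open fails), and a 64-bit `off_t`; the function names, the TGT_* result codes and the sample string in `self_test` are this example's own constructions.

```c
/* Added example (not the man page's or the thread's code): the
 * open -> revalidate -> pread() sequence recommended above, as a
 * supervisor-side helper. Linux only; SECCOMP_IOCTL_NOTIF_ID_VALID needs
 * kernel headers >= 5.0. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/seccomp.h>

#define TGT_ERR          (-1) /* a syscall failed; errno is set */
#define TGT_STALE        (-2) /* notification no longer valid after the open */
#define TGT_UNTERMINATED (-3) /* no NUL within len-1 bytes: reject, don't guess */

/* Open /proc/PID/mem for the task named in a notification. The PID can be
 * reused between the notification and this open, so the fd is only
 * trustworthy once the notification id has been revalidated afterwards. */
int open_target_mem(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/mem", (long)pid);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* 1 if the notification is still pending (the target is still blocked in
 * the syscall, so the PID we opened is the right one); 0 otherwise,
 * including when notify_fd is not a listener fd at all. */
int notif_id_still_valid(int notify_fd, uint64_t id)
{
    return ioctl(notify_fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) == 0;
}

/* pread() a NUL-terminated string at addr from an open mem fd. One
 * positioned read, so there is no shared file offset to race on. Returns
 * the string length, 0 on EOF (the target exited), TGT_ERR (e.g. EIO when
 * addr is not mapped in the target) or TGT_UNTERMINATED. */
ssize_t read_target_string(int mem_fd, uint64_t addr, char *buf, size_t len)
{
    ssize_t n = pread(mem_fd, buf, len - 1, (off_t)addr);
    if (n < 0)
        return TGT_ERR;
    if (n == 0)
        return 0;
    buf[n] = '\0';            /* n <= len-1, so this stays in bounds */
    size_t slen = strlen(buf);
    if (slen == (size_t)n)    /* the target supplied no NUL within n bytes */
        return TGT_UNTERMINATED;
    return (ssize_t)slen;
}

/* The full sequence: open, then ask the kernel whether the notification is
 * still live, then read. If the check passes, the fd refers to the process
 * that is blocked waiting for our verdict, so any page fault we take is
 * taken there and nowhere else. */
ssize_t fetch_target_string(int notify_fd, uint64_t id, pid_t pid,
                            uint64_t addr, char *buf, size_t len)
{
    int mem_fd = open_target_mem(pid);
    if (mem_fd < 0)
        return TGT_ERR;
    ssize_t r = notif_id_still_valid(notify_fd, id)
              ? read_target_string(mem_fd, addr, buf, len)
              : TGT_STALE;
    int saved = errno;
    close(mem_fd);
    errno = saved;
    return r;
}

/* Offline self-check: read a constructed string out of our own address
 * space via /proc/self/mem. Returns 1 on a match, 2 if /proc/self/mem is
 * not readable in this environment, 0 on a mismatch. */
int self_test(void)
{
    static const char sample[] = "/tmp/constructed/path"; /* constructed input */
    char buf[64];
    int fd = open_target_mem(getpid());
    if (fd < 0)
        return 2;
    ssize_t n = read_target_string(fd, (uint64_t)(uintptr_t)sample, buf, sizeof buf);
    close(fd);
    if (n == TGT_ERR || n == 0)
        return 2;
    return (n == (ssize_t)strlen(sample) && strcmp(buf, sample) == 0) ? 1 : 0;
}

int main(void)
{
    printf("self_test: %d\n", self_test());
    return 0;
}
```

Two details worth keeping: the id is revalidated after the open and not before, because the check only proves that the fd you already hold belongs to the right task; and a string without a terminator inside the buffer is rejected rather than silently truncated, since a truncated path can name a different object than the one the target asked for.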